Browsed by
Tag: PowerShell

File System Attacks – Insider Threat Podcast #9

File System Attacks – Insider Threat Podcast #9

In the ninth edition of the Insider Threat Podcast Jonathan Sander and I did a little role reversal. I played Zorak to Jonathan’s Space Ghost and was asking the questions – the topic this week is File System attacks. A topic that we have noticed not many struggle with, but one that we increasingly see as an attack vector. Jonathan has been researching these attacks recently and has been blogging about them in length. So we sat down to talk…

Read More Read More

Attack Step 3: Persistence with NTFS Extended Attributes – File System Attacks

Attack Step 3: Persistence with NTFS Extended Attributes – File System Attacks

What Does Persistence Mean on a File System? In our first file system attack, we found places where we’re likely to get good data with the credentials we’ve been able to steal. Our second attack let us focus in on only the data that is worth the time to steal so we can lessen the chances of getting caught – or at least get the best stuff before we do. The final stage in these attacks is typically persistence. Finding…

Read More Read More

Attack Step 2: Targeting Interesting Data – File System Attacks

Attack Step 2: Targeting Interesting Data – File System Attacks

Sifting Through The Sands In the last post, we looked at how to find file shares where data we may want to steal lives. We used both Python based and PowerShell based approaches to this. Now we’re going to take the next step and find actual files of interest. Even the smallest organization can have many thousands of files. The bad guys would drown in all that data if they didn’t have ways to narrow down what they’re looking for….

Read More Read More

Attack Step 1: Finding Where Data Lives – File System Attacks

Attack Step 1: Finding Where Data Lives – File System Attacks

Finding Where Interesting Information May Live We’re going to make some assumptions at the start of this attack. We will assume we already have full access to any credentials we need. Why? Because we’ve already shown you how you can grab any credential you might need all the way up to the highest level of administrative rights. The question you now need to ask is this: what can you do with those rights? Credentials are the means, but data is…

Read More Read More

How Attackers are Stealing your Credentials with Mimikatz – Insider Threat Podcast #6

How Attackers are Stealing your Credentials with Mimikatz – Insider Threat Podcast #6

In our sixth edition of the Insider Threat Podcast, once again we spoke with our resident white hat hacker, Jeff Warren. Jeff has just finished another in our ongoing blog series about insider attacks on Active Directory (AD). This time, the focus was the Mimikatz toolkit and all the ways it’s being used to exploit weaknesses in AD. You can find out more in the main series of blog posts about Mimikatz attacks as well as supplementary posts covering Skeleton…

Read More Read More

Ways to Detect and Mitigate PowerShell Attacks

Ways to Detect and Mitigate PowerShell Attacks

Detect and Mitigate PowerShell Attacks PowerShell has grown as an attack platform against Windows systems as a way for attackers to “live off the land” and use tools that are natively available. We’ve already looked at Empire, DeathStar, and CrackMapExec and how those tools leverage PowerShell to invoke Mimikatz and initiate other attacks. In this post, we will explore what you can do to detect and protect against PowerShell attacks. What’s So Great about PowerShell? There are several reasons attackers…

Read More Read More

Lateral Movement with CrackMapExec

Lateral Movement with CrackMapExec

In the previous post, we explored how attackers can use Mimikatz to automatically escalate privileges to Domain Admins using Empire and DeathStar. In this post, I will take a look at another open-source tool that leverages Mimikatz to harvest credentials and move laterally through an Active Directory environment: CrackMapExec. Self-described as a “swiss army knife for pentesting networks”, CrackMapExec is a Python-based utility that is geared towards evaluating and exploiting weaknesses in Active Directory security. This approach involves gathering credentials…

Read More Read More

Manipulating User Passwords with Mimikatz

Manipulating User Passwords with Mimikatz

Introduction: Manipulating User Passwords with Mimikatz Mimikatz now supports the ability to manipulate user passwords with new commands: SetNTLM and ChangeNTLM. These commands give attackers a new way to change user passwords and escalate privileges within Active Directory. Let’s take a look at these NTLM commands and what they do. ChangeNTLM This performs a password change event. To use this command, you must know the old password in order to set a new one. One deviation is that this command…

Read More Read More